Add support for oCIS - ownCloud Infinite Scale

[dkocher]

New concept of spaces accessible using LibreGraph

• Generate from Swagger Spec the implementation to retrieve drives for a user
• Reuse our current Microsoft Graph Client implementation.

oCIS uses WebFinger RFC7033 to locate the oCIS instance for an End-User.

• Discovery of endpoint with https://owncloud.dev/ocis/storage_registry_discovery/
• Depends on minimal webfinger owncloud/ocis#5373

Now uses OAuth for authentication. Must discover the OAuth endpoints somehow.

• Obtain OpenID configuration from /.well-known/openid-configuration as defined by OpenID Connect Discovery
• Dynamically register client application using OpenID Connect Dynamic Client Registration
• Depends on support dynamic client registration owncloud/ocis#5498

[dkocher]

With #14877 we allow to configure usage of OAuth for WebDAV connections in connection profiles.

[michaelstingl]

Legacy OAuth 2.0 vs Basic Auth detection (still works in oC10 + oCIS as of today)

In an unauthenticated PROPFIND to the WebDAV endpoint, ownCloud clients check for Www-Authenticate: Bearer header.

curl -s -I --http1.1 "https://demo.owncloud.org/remote.php/dav/files/" | grep -i -e "HTTP/" -e "www-authenticate"
HTTP/1.1 401 Unauthorized
Www-Authenticate: Basic realm="ownCloud", charset="UTF-8"

➡️ ownCloud clients use Basic Auth

curl -s -I --http1.1 "https://demo.owncloud.com/remote.php/dav/files/" | grep -i -e "HTTP/" -e "www-authenticate"
HTTP/1.1 401 Unauthorized
Www-Authenticate: Bearer realm="ownCloud"
Www-Authenticate: Basic realm="ownCloud", charset="UTF-8"

➡️ ownCloud clients use OAuth 2.0 (if there's no trace of OpenID connect)
➡️ open /index.php/apps/oauth2/authorize in web UI

Here you can find more information:

• https://github.com/owncloud/oauth2/wiki/OAuth-code-Flow-Sequence-Diagram

Legacy OpenID Connect detection (still works in oC10 + oCIS as of today)

After Www-Authenticate: Bearer was detected, ownCloud clients check for /.well-known/openid-configuration on that instance, mirrored from the IdP.

After detection of /.well-known/openid-configuration, ownCloud clients proceed with the instructions provided there.

curl -s --http1.1 "https://ocis.ocis-traefik.latest.owncloud.works/.well-known/openid-configuration" | jq | grep -i "authorization_endpoint"
  "authorization_endpoint": "https://ocis.ocis-traefik.latest.owncloud.works/signin/v1/identifier/_/authorize",

[michaelstingl]

New, Webfinger based OpenId Connect discovery

Latest oCIS versions and latest ownCloud clients perform an unauthenticated GET request to the /.well-known/webfinger. It tells them where to authenticate and get tokens.

Here you can find more information ¹.

Footnotes

1. https://owncloud.dev/services/webfinger/#openid-connect-discovery ↩

[dkocher]

The LibreGraph API seems to miss support for versioning ¹. That will not allow us to replace the OCS API implementation currently used.

Footnotes

1. https://owncloud.dev/ocis/adr/0007-api-for-spaces/#open-topics ↩

[dkocher]

The LibreGraph API seems to miss support for versioning 1. That will not allow us to replace the OCS API implementation currently used.

Footnotes

1. https://owncloud.dev/ocis/adr/0007-api-for-spaces/#open-topics ↩

The DAV meta API is used for the versions and is considered future proof.